The Brexit Data Blockade?

On 29th of March, as things stand at the time of writing, the UK will be leaving the EU (some of our intrepid Microsoft Dynamics 365 experts will hopefully have just returned home after making the most of our final day of EU membership attending CRMUG Summit EMEA in Amsterdam!). If that ends up being without a deal, that could end up having implications for UK companies transferring data across national boundaries. It might not be caught up in a lorry park in Kent, but without a bit of preparation, you could find your data transfers being impacted.

While GDPR and its implementation in the UK has been the
focus for over a year – and whatever happens with Brexit it will remain in
effect in the UK – we may now need to think of ourselves as outsiders with
respect to the EU GDPR.

From the time of Brexit, any data flowing from the EU to the UK would need to be
treated in the same way as any data currently flowing from the EU (including
the UK) to other third countries such as the US. Broadly, this will mean that
either:

The EU makes an “adequacy decision”, essentially
stating that the UK data protection regime is at least as strong as those in
the EU. As GDPR is to be retained in the UK there should be no reason this
won’t be forthcoming eventually, but may take some time.

You should implement standard contractual
clauses – text defined by the ICO to add into your contracts to ensure data
protection safeguards. This will likely be the short-term solution for most SMEs,
and can
be obtained from the ICO

Larger organisations that will still have a
presence in the EU can use binding corporate rules to demonstrate their data
protection compliance worldwide

Data transfers from
the UK to the EU will not be impacted, as the government has already
confirmed that they will not be introducing any additional regulations on this.
However, you may need to update your documentation such as privacy notices to
make it clear where personal data is being sent. You may also have contracts in
place stating that data will not leave the EU, which may need to be updated to
include the UK.

So far, so good – if you’re dealing with the UK and EU then there might be a bit more paperwork to do, but hopefully not too much of a problem if you’re prepared. But what about other countries? While our focus has been on the EU and GDPR, other countries have been busy implementing their own data protection legislation. In particular, Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, Uruguay, and USA currently have adequacy decisions from the EU to some extent, indicating they have similar data privacy protection as GDPR. As such, they will have similar restrictions on the transfer of personal data, and while part of the EU the adequacy decisions will have permitted the transfer of data from these countries to the UK. When we are outside the EU, the UK will need to renegotiate those arrangements as well as that with the EU itself, so you should take advice from the authorities in those countries.